DNS rebinding in Node.js

#VU50955 DNS rebinding in Node.js

Published: 2021-02-25

Vulnerability identifier: #VU50955

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-22884

CWE-ID: CWE-350

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Node.js
Server applications / Web servers

Vendor: Node.js Foundation

Description

The vulnerability allows a remote attacker to perform DNS rebinding attack.

The vulnerability exists due to the application whitelist includes the “localhost6” name. When “localhost6” is not present in /etc/hosts, it is treated an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Node.js: 15.9.0, 15.8.0, 15.7.0, 15.6.0, 15.5.0 - 15.5.1, 15.4.0, 15.3.0, 15.2.0 - 15.2.1, 15.1.0, 15.0.0 - 15.0.1, 14.15.0 - 14.15.5, 14.14.0, 14.13.0 - 14.13.1, 14.12.0, 14.11.0, 14.10.0 - 14.10.1, 14.9.0, 14.8.0, 14.7.0, 14.6.0, 14.5.0, 14.4.0, 14.3.0, 14.2.0, 14.1.0, 14.0.0, 13.14.0, 13.13.0, 13.12.0, 13.11.0, 13.10.0 - 13.10.1, 13.9.0, 13.8.0, 13.7.0, 13.6.0, 13.5.0, 13.4.0, 13.3.0, 13.2.0, 13.1.0, 13.0.0 - 13.0.1, 12.20.0 - 12.20.2, 12.19.0 - 12.19.1, 12.18.0 - 12.18.4, 12.17.0, 12.16.0 - 12.16.3, 12.15.0, 12.14.0 - 12.14.1, 12.13.0 - 12.13.1, 12.12.0, 12.11.0 - 12.11.1, 12.10.0, 12.9.0 - 12.9.1, 12.8.0 - 12.8.1, 12.7.0, 12.6.0, 12.5.0, 12.4.0, 12.3.0 - 12.3.1, 12.2.0, 12.1.0, 12.0.0, 11.15.0, 11.14.0, 11.13.0, 11.12.0, 11.11.0, 11.10.0 - 11.10.1, 11.9.0, 11.8.0, 11.7.0, 11.6.0, 11.5.0, 11.4.0, 11.2.0, 11.1.0, 11.0.0, 11.3.0, 10.23.0 - 10.23.3, 10.22.0 - 10.22.1, 10.21.0, 10.20.0 - 10.20.1, 10.19.0, 10.18.0 - 10.18.1, 10.17.0, 10.16.0 - 10.16.3, 10.15.0 - 10.15.3, 10.14.0 - 10.14.2, 10.9 - 10.9.0, 10.5.0, 10.13.0, 10.12.0, 10.11.0, 10.10.0, 10.8.0, 10.7.0, 10.6.0, 10.4.0 - 10.4.1, 10.3.0, 10.2.0 - 10.2.1, 10.1.0, 10.0.0

External links
http://nodejs.org/en/blog/vulnerability/february-2021-security-releases/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Ubuntu update for nodejs

Multiple Vulnerabilities in IBM Netcool Agile Service Manager

Multiple vulnerabilities in Siemens SINEC INS

SUSE update for nodejs8

Multiple vulnerabilities in PeopleSoft Enterprise PeopleTools

Multiple vulnerabilities in MySQL Cluster

openEuler update for nodejs

Multiple vulnerabilities in IBM Cloud Transformation Advisor

Red Hat Software Collections update for rh-nodejs10-nodejs

Red Hat Software Collections update for rh-nodejs12-nodejs